Maintaining a secure Web server on a Linux platform truly tests your knowledge of server-side in Linux, Apache and PHP. You will have to ensure three features on every installation-it should be easy but powerful to use, it should increase your productivity and on top of these two the server should be secure. Across most installations, LAMP server security is easy if you consistently follow certain fundamental rules.
Hardening Linux OS
The most important step is to harden the Linux OS. There are three areas that need attention to ensure robust Linux OS-the kernel, the MAC and the Firewall.
1- Kernel Hardening
Most intruders aim to break beyond the limited user area and gain access to root areas. The limited user nobody is specific to the Operating System. On Red Hat distros, CentOS, Apache is the default. Usually, www-data is associated with Debian family and Ubuntu.
Hence, the trick is to implement a kernel patch with grsecurity. Further, kernel updates should be supported on Ksplice. These two will protect against most vulnerabilities.
2- MAC
Mandatory Access Control or MAC for accessing compilers such as gcc, utilities or system configuration files is a feature, which is not required for regular user of a common web server set-up. Mac Tools such as SELinux for RedHat, AppArmor for Ubuntu minimize attacks largely. However, wrong configuration of these would actually do more harm than good, since attackers can easily be compromise your server by using false-positives. This is one of the main reasons for MAC tools to have non-enforcing modes and allow reconfiguration. Alternatively, setting the permissions to 700 for some of the executions and allowing only the root to use them.
3- Protect server with firewall
It is very important that both incoming as well as outgoing traffic from servers to protect it from malicious attacks. Though, incoming traffic is well studied for malicious content, there are times when local executions too could have malicious scripts. Tested and secure method are iptables chains are set to DROP by default. Here, care has to be taken on running the incoming and outgoing connections. Most web scripts need RSS, external APIs and it has to be ensured that these are allowed. There are options, which work similar to iptables firewalls. Scripts can itself be used to generate the rules to maintain and run the firewall. There are software available to help you do this, like Shorewall or one could even explore Firestarter.
Apache Servers are easy to secure with simple installs
Apache servers like nginx or LiteSpeed are very well protected when mod_security, mod_evasive are installed. Additionally, filtering IP addresses of visitors will further secure the web server. For this, most effective would be the mod_httpbl (belonging to Project Honeypot), which is very effective in blocking known malicious-ware.
Another popular usage is the mod_geoip, as it allows access to visitors from certain countries only.
More commonly, PHP is the ideal server-side open-source software. With some resourceful directives, server-side security maintenance is made easy, though precautions have to be taken with some of the shell code executions.
{module user9-footer}